You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/03/18 10:01:39 UTC

[Bug 65193] New: directive does not only match the basename

https://bz.apache.org/bugzilla/show_bug.cgi?id=65193

            Bug ID: 65193
           Summary: <Files> directive does not only match the basename
           Product: Apache httpd-2
           Version: 2.4.46
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: markjenkins@mailfish.de
  Target Milestone: ---

The documentation says that <Files> is "applied to any object with a basename
(last component of filename) matching the specified filename". This does not
always seem to be the case.

Consider this configuration:

DocumentRoot /var/www/html
# Deny access to "hidden" files
<Files ".*">
        Require all denied
</Files>

Assume that /var/www/html/.well-known does not exist.
Then the request "GET /.well-known/security.txt" returns 403 Forbidden instead
of the expected 404 Not Found although .well-known is not the basename of the
requested file.

If /var/www/html/.well-known/ exists, but
/var/www/html/.well-known/security.txt does not, we get the expected 404 Not
Found.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org